Current Profiles of Joint Controllership in the Processing of Personal Data

Vera Ugolini

With the introduction of Art. 26 of the GDPR, the situation of joint controllership has been regulated by the European Legislator, establishing particular duties and obligations for the Joint Data Controllers. The Joint Controllers are recognized as jointly responsible, by way of objective liability - or semiobjective - for the protection of personal data towards the subject concerned by the processing. Furthermore, the Joint Controllers are obliged to enter into an internal joint controllership agreement, according to the second paragraph of Art. 26 of the GDPR, in order to jointly
determine the purposes and means of the processing of personal data, and to share the obligations and related responsibilities in carrying out the processing activities.

Joint controllership is therefore a legally regulated and highly  actual topic, since it can exist in any area of the processing activity, from the joint management of telematic platforms to the sharing of data on cloud computing systems, up to the collection of biological samples and their study for scientific research purposes. It is therefore important to identify the various hypotheses of joint controllership in the countless situations that may arise in real life, thanks also to the hypotheses provided by Art. 29 Working Party in its Opinion on the notion of Data Controller.